grafana/pkg/api/dashboard_acl_test.go

package api

import (
	"testing"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/components/simplejson"
	"github.com/grafana/grafana/pkg/models"

	. "github.com/smartystreets/goconvey/convey"
)

func TestDashboardAclApiEndpoint(t *testing.T) {
	Convey("Given a dashboard acl", t, func() {
		mockResult := []*models.DashboardAcl{
			{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_VIEW},
			{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_EDIT},
			{Id: 3, OrgId: 1, DashboardId: 1, UserId: 4, Permission: models.PERMISSION_ADMIN},
			{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_VIEW},
			{Id: 5, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_ADMIN},
		}
		dtoRes := transformDashboardAclsToDTOs(mockResult)

		bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {
			query.Result = dtoRes
			return nil
		})

		bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {
			query.Result = mockResult
			return nil
		})

		userGroupResp := []*models.UserGroup{}
		bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {
			query.Result = userGroupResp
			return nil
		})

		Convey("When user is org admin", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_ADMIN, func(sc *scenarioContext) {
				Convey("Should be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)

					respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
					So(err, ShouldBeNil)
					So(len(respJSON.MustArray()), ShouldEqual, 5)
					So(respJSON.GetIndex(0).Get("userId").MustInt(), ShouldEqual, 2)
					So(respJSON.GetIndex(0).Get("permission").MustInt(), ShouldEqual, models.PERMISSION_VIEW)
				})
			})
		})

		Convey("When user is editor and has admin permission in the ACL", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_ADMIN})

				Convey("Should be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)
				})
			})

			loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_ADMIN})

				bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
					return nil
				})

				Convey("Should be able to delete permission", func() {
					sc.handlerFunc = DeleteDashboardAcl
					sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 200)
				})
			})

			Convey("When user is a member of a user group in the ACL with admin permission", func() {
				loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardsId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {
					userGroupResp = append(userGroupResp, &models.UserGroup{Id: 2, OrgId: 1, Name: "UG2"})

					bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
						return nil
					})

					Convey("Should be able to delete permission", func() {
						sc.handlerFunc = DeleteDashboardAcl
						sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

						So(sc.resp.Code, ShouldEqual, 200)
					})
				})
			})
		})

		Convey("When user is editor and has edit permission in the ACL", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})

				Convey("Should not be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})

			loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})

				bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
					return nil
				})

				Convey("Should be not be able to delete permission", func() {
					sc.handlerFunc = DeleteDashboardAcl
					sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})
		})

		Convey("When user is editor and not in the ACL", func() {
			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {

				Convey("Should not be able to access ACL", func() {
					sc.handlerFunc = GetDashboardAclList
					sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})

			loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/user/1", "/api/dashboards/id/:dashboardsId/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {
				mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_VIEW})
				bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {
					return nil
				})

				Convey("Should be not be able to delete permission", func() {
					sc.handlerFunc = DeleteDashboardAcl
					sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()

					So(sc.resp.Code, ShouldEqual, 403)
				})
			})
		})
	})
}

func transformDashboardAclsToDTOs(acls []*models.DashboardAcl) []*models.DashboardAclInfoDTO {
	dtos := make([]*models.DashboardAclInfoDTO, 0)

	for _, acl := range acls {
		dto := &models.DashboardAclInfoDTO{
			Id:          acl.Id,
			OrgId:       acl.OrgId,
			DashboardId: acl.DashboardId,
			Permission:  acl.Permission,
			UserId:      acl.UserId,
			UserGroupId: acl.UserGroupId,
		}
		dtos = append(dtos, dto)
	}

	return dtos
}
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`package api`

			`import (`
			`"testing"`

			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/components/simplejson"`
			`"github.com/grafana/grafana/pkg/models"`

			`. "github.com/smartystreets/goconvey/convey"`
			`)`

			`func TestDashboardAclApiEndpoint(t *testing.T) {`
			`Convey("Given a dashboard acl", t, func() {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`mockResult := []*models.DashboardAcl{`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`{Id: 1, OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_VIEW},`
			`{Id: 2, OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_EDIT},`
			`{Id: 3, OrgId: 1, DashboardId: 1, UserId: 4, Permission: models.PERMISSION_ADMIN},`
			`{Id: 4, OrgId: 1, DashboardId: 1, UserGroupId: 1, Permission: models.PERMISSION_VIEW},`
			`{Id: 5, OrgId: 1, DashboardId: 1, UserGroupId: 2, Permission: models.PERMISSION_ADMIN},`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`}`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`dtoRes := transformDashboardAclsToDTOs(mockResult)`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00
refactoring more renaming 2017-06-20 05:30:54 +08:00			`bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`query.Result = dtoRes`
			`return nil`
			`})`

acl fixes 2017-06-23 05:10:43 +08:00			`bus.AddHandler("test", func(query *models.GetDashboardAclInfoListQuery) error {`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`query.Result = mockResult`
			`return nil`
			`})`

refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`userGroupResp := []*models.UserGroup{}`
WIP: add permission check for GetDashboard 2017-06-12 21:48:55 +08:00			`bus.AddHandler("test", func(query *models.GetUserGroupsByUserQuery) error {`
refactoring dashboard folder security checks 2017-06-20 03:22:42 +08:00			`query.Result = userGroupResp`
WIP: add permission check for GetDashboard 2017-06-12 21:48:55 +08:00			`return nil`
			`})`

WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("When user is org admin", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_ADMIN, func(sc *scenarioContext) {`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("Should be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`

			`respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())`
			`So(err, ShouldBeNil)`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`So(len(respJSON.MustArray()), ShouldEqual, 5)`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`So(respJSON.GetIndex(0).Get("userId").MustInt(), ShouldEqual, 2)`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`So(respJSON.GetIndex(0).Get("permission").MustInt(), ShouldEqual, models.PERMISSION_VIEW)`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`})`
			`})`
			`})`

dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`Convey("When user is editor and has admin permission in the ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_ADMIN})`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`Convey("Should be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`

folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_ADMIN})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`

dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`Convey("When user is a member of a user group in the ACL with admin permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardsId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`userGroupResp = append(userGroupResp, &models.UserGroup{Id: 2, OrgId: 1, Name: "UG2"})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`
			`})`
			`})`
			`})`

dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00			`Convey("When user is editor and has edit permission in the ACL", func() {`
			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {`
			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})`

			`Convey("Should not be able to access ACL", func() {`
			`sc.handlerFunc = GetDashboardAclList`
			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`

			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/1", "/api/dashboards/id/:dashboardId/acl/:aclId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_EDIT})`

			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
			`return nil`
			`})`

			`Convey("Should be not be able to delete permission", func() {`
			`sc.handlerFunc = DeleteDashboardAcl`
			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`
			`})`

WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`Convey("When user is editor and not in the ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/acl", "/api/dashboards/id/:dashboardsId/acl", models.ROLE_EDITOR, func(sc *scenarioContext) {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`Convey("Should not be able to access ACL", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = GetDashboardAclList`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`loggedInUserScenarioWithRole("When calling DELETE on", "DELETE", "/api/dashboards/id/1/acl/user/1", "/api/dashboards/id/:dashboardsId/acl/user/:userId", models.ROLE_EDITOR, func(sc *scenarioContext) {`
dashboard acl work 2017-06-22 02:11:16 +08:00			`mockResult = append(mockResult, &models.DashboardAcl{Id: 1, OrgId: 1, DashboardId: 1, UserId: 1, Permission: models.PERMISSION_VIEW})`
refactoring renaming dashboard folder operations 2017-06-20 05:15:25 +08:00			`bus.AddHandler("test3", func(cmd *models.RemoveDashboardAclCommand) error {`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`return nil`
			`})`

			`Convey("Should be not be able to delete permission", func() {`
folders: changed api urls for dashboard acls 2017-06-20 06:11:30 +08:00			`sc.handlerFunc = DeleteDashboardAcl`
WIP: delete permission in API 2017-05-22 16:36:47 +08:00			`sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()`

			`So(sc.resp.Code, ShouldEqual, 403)`
			`})`
			`})`
WIP: get Dashboard Permissions The guardian class checks if the user is allowed to get the permissions for a dashboard. 2017-05-08 21:35:34 +08:00			`})`
			`})`
			`}`
dashfolders: new admin permission needed to view/change acl 2017-06-23 05:01:04 +08:00
			`func transformDashboardAclsToDTOs(acls []models.DashboardAcl) []models.DashboardAclInfoDTO {`
			`dtos := make([]*models.DashboardAclInfoDTO, 0)`

			`for _, acl := range acls {`
			`dto := &models.DashboardAclInfoDTO{`
			`Id: acl.Id,`
			`OrgId: acl.OrgId,`
			`DashboardId: acl.DashboardId,`
			`Permission: acl.Permission,`
			`UserId: acl.UserId,`
			`UserGroupId: acl.UserGroupId,`
			`}`
			`dtos = append(dtos, dto)`
			`}`

			`return dtos`
			`}`